The CyberWire Daily Podcast 2.6.25
Ep 2240 | 2.6.25

FCC around and find out.

Transcript

Chaos and security concerns continue in Washington. Spanish authorities arrest a man suspected of hacking NATO, the UN, and the US Army. A major U.S. hiring platform exposes millions of resumes. Another British engineering firm suffers a cyberattack. Cisco patches multiple vulnerabilities. Cybercriminals exploit SVG files in phishing attacks. SparkCat SDK targets cryptocurrency via Android and iOS apps. CISA directs federal agencies to patch a high-severity Linux kernel flaw. Thailand leaves scamming syndicates in the dark. Positive trends in the fight against ransomware. Our guest, Cliff Crosland, CEO and Co-founder at Scanner.dev, discusses the evolution of security data lakes and the "bring your own" model for security tools. Don’t eff with the FCC.

Today is Thursday February 6th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Chaos and security concerns continue in Washington. 

Elon Musk’s Department of Government Efficiency (DOGE) has gained access to restricted U.S. government records on millions of federal employees, including Treasury and State Department officials in sensitive security roles, The Washington Post reports. According to anonymous sources, DOGE’s involvement raises concerns about potential misuse of personnel data amid threats of retaliation against federal workers by Trump administration officials.

The Office of Personnel Management (OPM) holds sensitive employee data, including addresses, salaries, and disciplinary records. DOGE agents, some in their early 20s with ties to Musk’s private companies, were granted administrative access to OPM systems shortly after Trump’s inauguration. This access allows them to install software, alter records, and potentially transfer data externally. There is no evidence they have done so, but officials are alarmed at the risk.

DOGE’s arrival has disrupted OPM, with mass staff reductions planned, including the removal of key IT and financial executives. Tensions have risen between DOGE agents and career officials, contributing to low morale. The halt of IT upgrades and DOGE’s access to government networks increase security vulnerabilities, reminiscent of past cyber breaches, such as China’s 2014 theft of U.S. security clearance records.

Security experts warn that foreign adversaries could exploit the chaos, as DOGE’s access extends to Treasury’s payment systems, which contain classified expenditure details. The Senate Intelligence Committee has demanded transparency on DOGE’s vetting process and system access. Meanwhile, a lawsuit challenges OPM’s privacy policies, arguing that unencrypted government-wide email deployments create security risks. Experts fear that foreign intelligence services could infiltrate DOGE due to its rapid and opaque hiring process.

Spanish authorities arrest a man suspected of hacking NATO, the UN, and the US Army. 

Spanish authorities have arrested an 18-year-old suspected hacker for cyberattacks on over 40 organizations, including NATO, the UN, and the US Army. The suspect allegedly leaked stolen data and managed over 50 cryptocurrency accounts. Investigators believe he used multiple online aliases, including “Natohub,” who claimed breaches on BreachForums. Between June 2024 and January 2025, Natohub posted 18 times about data breaches, sometimes selling or freely sharing stolen information. Authorities seized electronic devices during the arrest.

A major U.S. hiring platform exposes millions of resumes. 

Foh&Boh, a US hiring platform used by major brands like KFC, Taco Bell, and Nordstrom, exposed millions of job applicants’ resumes due to an unsecured AWS bucket. The leaked data included full names, contact details, birth information, employment history, education, and social media links. Cybersecurity researchers warn that the breach increases the risk of identity theft, allowing criminals to create fraudulent accounts or launch targeted phishing scams. Attackers could impersonate past employers to trick victims into revealing financial details or installing malware. Scammers might also exploit financially vulnerable individuals with deceptive job offers. The exposed dataset contained 5.4 million files, but after multiple warnings, the company secured the database. 

Another British engineering firm suffers a cyberattack. 

British engineering firm IMI has disclosed a cybersecurity incident shortly after rival Smiths Group reported a similar attack. IMI, which designs industrial automation and transport products, confirmed unauthorized access to its systems in a London Stock Exchange filing. The company has engaged cybersecurity experts to investigate and contain the breach. IMI declined to comment on potential data exfiltration. Meanwhile, Smiths Group is also working to recover from an attack, with neither company providing a recovery timeline.

Cisco patches multiple vulnerabilities. 

Cisco has released patches for multiple vulnerabilities, including two critical flaws in its Identity Services Engine (ISE). Tracked as CVE-2025-20124 and CVE-2025-20125, these bugs could allow authenticated attackers to execute arbitrary commands and tamper with device configurations. Patches are available in ISE versions 3.1P10, 3.2P7, and 3.3P4, with no workarounds. Additionally, Cisco warned of high-severity SNMP vulnerabilities in IOS, IOS XE, and IOS XR, which could cause denial-of-service (DoS) attacks. Patches are expected by March. Medium-severity flaws affecting various Cisco products were also addressed. No active exploits have been reported.

Cybercriminals exploit SVG files in phishing attacks. 

Researchers at Sophos say cybercriminals are exploiting Scalable Vector Graphics files in phishing attacks to bypass email security filters. SVG files, unlike typical image formats, can contain embedded links and scripts that direct victims to phishing sites. Attackers disguise these files as legal documents, voicemails, or invoices, using familiar brands like DocuSign and Microsoft SharePoint. Once opened, the file redirects users to fraudulent login pages that steal credentials. Some attacks also deliver malware or leverage CAPTCHA gates to evade detection. Researchers identified evolving tactics, including localized phishing pages and embedded keystroke loggers. Security experts recommend setting SVG files to open in Notepad instead of a browser and carefully checking URLs for legitimacy. Sophos suggests organizations should update email security solutions to detect malicious SVG attachments and prevent credential theft.
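The SVG technique above works because an SVG is an XML document that may carry scripts, event handlers, embedded HTML and outbound links, none of which a raster image can. The following triage script is an added illustration written for this transcript; it is not Sophos' tooling or anything the podcast describes. It assumes a mail gateway or sandbox that hands it the raw bytes of an .svg attachment, and it flags the active-content features a phishing lure depends on so the attachment can be quarantined before a user opens it in a browser. The two sample SVGs are constructed for the example, and the host name in them is a placeholder.

```python
"""Static triage of SVG e-mail attachments.

Flags the features phishing SVGs rely on: <script>, on* event handlers,
javascript: URIs, <foreignObject> (embedded HTML) and links to hosts that
are not on an allow-list. Added example, not Sophos' or the CyberWire's code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")   # plain href and xlink:href
ACTIVE_TAGS = {"script", "foreignObject"}        # JS execution / embedded HTML


def _local(qualified):
    """Strip an ElementTree '{namespace}name' down to 'name'."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes, allowed_hosts=()):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that claims to be SVG but will not parse is itself a red flag.
        return [f"unparseable SVG ({exc}); treat as suspicious"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element present")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):            # onload, onclick, ...
                findings.append(f"event handler {name}= on <{tag}>")
            if attr in HREF_ATTRS:
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(f"javascript: URI on <{tag}>")
                elif v.startswith(("http://", "https://")):
                    host = urlparse(value.strip()).hostname or ""
                    if host not in allowed_hosts:
                        findings.append(f"external link on <{tag}> -> {host}")
    return findings


def is_suspicious(data: bytes, allowed_hosts=()):
    """Quarantine decision: anything flagged means do not deliver."""
    return bool(scan_svg(data, allowed_hosts))


# Constructed samples. BENIGN_SVG is a plain drawing; LURE_SVG mimics the
# "voicemail" lure shape described in the story (placeholder host, no real URL).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10" fill="blue"/></svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="redirect()">
<text x="0" y="15">Voicemail_2025.svg - click to play</text>
<a xlink:href="https://login.example.invalid/docusign"><rect width="100" height="30"/></a>
<script>/* redirect logic would live here */</script>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", scan_svg(blob) or "clean")
```

Run against the lure sample the scanner reports the onload handler, the external link and the script element; the plain drawing reports nothing. In practice you would pair a check like this with the gateway policy the story mentions (block or detonate active SVGs rather than deliver them) and with the endpoint-side change of associating .svg with a text editor rather than a browser.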

SparkCat SDK targets cryptocurrency via Android and iOS apps. 

A malicious software development kit (SDK) called SparkCat has been discovered in Android and iOS apps, stealing cryptocurrency wallet recovery phrases using optical character recognition (OCR). The malware, hidden in SDKs named “Spark,” “Gzip,” “googleappsdk,” and “stat,” extracts sensitive text from images on devices, enabling attackers to access crypto wallets. On Google Play alone, the infected apps were downloaded over 242,000 times, with some still available on both Google Play and the App Store.

Kaspersky identified 18 Android and 10 iOS infected apps, with attackers using a Rust-based module for communication with command-and-control (C2) servers. Users are advised to uninstall affected apps immediately, scan devices with antivirus software, and avoid storing recovery phrases in screenshots. Instead, use offline, encrypted storage for security. Google and Apple have yet to respond.

CISA directs federal agencies to patch a high-severity Linux kernel flaw. 

CISA has ordered U.S. federal agencies to patch a high-severity Linux kernel flaw (CVE-2024-53104) within three weeks due to active exploitation. The vulnerability, found in the USB Video Class (UVC) driver, enables privilege escalation on unpatched devices. Google patched it for Android users, warning of limited, targeted attacks. Security experts believe forensic tools may be exploiting this flaw. CISA also flagged critical vulnerabilities in Microsoft .NET and Apache OFBiz, urging manufacturers to enhance network forensic visibility to aid cyber defense.

Thailand leaves scamming syndicates in the dark. 

On Wednesday, Thailand took a decisive step against online scamming syndicates by cutting off electricity, fuel, and internet to key scam hubs in Myawaddy, Payathonzu, and Tachileik, Myanmar. These enclaves, run by organized crime groups, have become centers for cyber fraud targeting victims worldwide.

The move follows pressure from China’s Assistant Minister of Public Security, Liu Zhongyi, who urged Thailand to intensify its crackdown. Liu revealed that 36 Chinese-run scam operations in Myanmar employ over 100,000 workers, many trafficked and forced into fraud. The high-profile rescue of Chinese actor Wang Xing from one of these compounds heightened scrutiny.

Thailand’s Prime Minister Paetongtarn Shinawatra defended the action, citing the scams’ $2 million daily impact on Thailand’s economy. The crackdown aligns with her visit to China, where both nations pledged stronger law enforcement cooperation to combat cross-border cybercrime.

Positive trends in the fight against ransomware. 

At the start of 2024, ransomware groups seemed as powerful as ever, pulling in hundreds of millions of dollars in extortion payments. But as the year progressed, something shifted. Law enforcement agencies, cybersecurity firms, and victims themselves began pushing back harder than ever before. By year’s end, ransomware payments had dropped 35% from the previous year, marking the first significant decline in years.

According to research from Chainalysis, it wasn’t just government action that slowed ransomware operators. Victims became more resilient, with more organizations refusing to pay and instead relying on backups to recover their data. Ransomware gangs adapted, working faster than ever—sometimes beginning negotiations within hours of an attack. But even with these tactics, the market fractured. The collapse of LockBit and BlackCat, two of the biggest ransomware groups, left a void that no single group was able to fill.

New players emerged. Groups like Akira and Fog stepped into the spotlight, specializing in exploiting VPN vulnerabilities to infiltrate corporate networks. Meanwhile, Iranian-linked ransomware strains rebranded and resurfaced, proving that attackers were not giving up—they were just adapting.

Financially, ransomware groups faced another hurdle: moving their money. In the past, they relied on cryptocurrency mixers to launder their earnings, but after sanctions and takedowns of services like Tornado Cash, they turned to cross-chain bridges and centralized exchanges instead. However, even this became riskier as governments cracked down on crypto platforms with loose know-your-customer policies. 

Perhaps the most telling sign of ransomware’s changing landscape was LockBit’s desperate attempt to stay relevant after being hit by Operation Cronos. The once-dominant group resorted to reposting old victims, inflating their numbers in a bid to maintain their reputation.

Despite the decline in payments, ransomware is far from defeated. The criminals behind these attacks are still out there, learning, adapting, and searching for new ways to evade security measures. But for the first time in years, defenders seem to have the upper hand—and that’s worth celebrating. 


We’ve got our Industry Voices segment after the break. I’m joined by Scanner.dev (scanner dot dev) CEO and Co-founder Cliff Crosland to talk about the evolution of security data lakes and the "bring your own" model for security tools. And, impersonating the FCC to scam (wait for it) the FCC! We’ll be right back.

Welcome back.

Don’t F with the FCC. 

And finally, our FCC around and find out desk tells us the FCC has proposed a $4.5 million fine against VoIP provider Telnyx for allegedly letting scammers impersonate a fictitious “FCC Fraud Prevention Team”—which, spoiler alert, doesn’t exist.

The MarioCop robocallers (yes, that’s what they called themselves) made 1,797 fake FCC calls in two days, even targeting FCC staff and their families. Their calls threatened victims with jail time unless they coughed up $1,000 in Google gift cards—because nothing says “government fine” like digital Monopoly money.

The FCC blames Telnyx for lax customer verification, claiming they failed to do proper Know Your Customer (KYC) checks. Telnyx, however, fired back, calling the FCC’s accusations “factually mistaken” and insisting they went above and beyond compliance rules.

While the fine looms, one thing’s clear: Scammers will scam, the FCC will fine, and nobody should ever pay government fees in gift cards.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.